Hi
I'm using Mediafront to display a webm. It works. If I edit the source and search for webm, I can find:
http:\u002F\u002Ftheraph.com\u002Fpodi4\u002Fsystem\u002Ffiles\u002Fpodifoot2\u002Fap93.webm
in the jQuery part.
After trimming, it became:
http:\\theraph.com\podi4\system\files\podifoot2\ap93.webm
I opened Opera, not logged in, and pasted this.
I could download the file!
I didn't know backslashes would work, though.
My private folder is above root. My filefield is private download. I checked the moment when my file was copied. It is there.
My clean URLs are not activated, although /?q=system and system both work. I don't copy.
How could this be possible?

Comments

travist’s picture

Status: Active » Closed (won't fix)

I don't see how this is a MediaFront issue, since Mediafront doesn't really care if the file system is private or public. It treats the media the same and also does not do anything to the file system. There is no way that MediaFront could be exposing your video as public when it is in a private file system. This is most likely something that needs to be a Drupal core question.

artatum’s picture

It was not a 'mediafront issue', but sometimes you need some help, from somebody.

webel’s picture

Cross-posting: MediaElement: #1082342: Hide from source the media URL.

I agree this is probably a core filesystem issue, and I consider it quite a serious one.

For the sake of demonstration, I don't mind if people test "breaking" this live on this file:

http://drupal7demo.webel.com.au/system/files/mfvideo/ooe-demo-netbeans-i...

That file was uploaded to the private filesystem and into a subfolder .../files/private/mfvideo under .htaccess protection, using a File field for display with MediaFront.

It is easy to load the video file directly in any browser or just pull it by URL with 'curl' or 'wget'.

I don't have any suggestions for solutions, however it is quite a serious media security/protection problem.